(54) Authentication method for mobile communications.

(57) In the preliminary authentication stage, the mobile station (35) is authenticated by sending from the home network (30) to the roamed network (31), a plurality of pairs of first random numbers (RNDa_1,...,RNDa_n) and calculation results (SRESa_1,...,SRESa_n) of the cipher function (f), which calculation is performed at the home network using the secret key (ki) and the first random numbers (RNDa_1,...,RNDa_n), by sending, from the roamed network to the mobile station, third random numbers formed by coupling second random numbers (RNDb_1,...,RNDb_m) produced at the roamed network with the first random numbers (RNDa_1,...,RNDa_n), by sending, from the mobile station to the roamed network, calculation results (SRESa_1,...,SRESa_n, SRESb_1,...,SRESb_m) of the cipher function (f), which calculation is performed at the mobile station using the secret key (ki) and the sent third random numbers, and by confirming, at the roamed network, coincidence of the calculation results (SRESa_1,...,SRESa_n) sent from the mobile station with the calculation results (SRESa_1,...,SRESa_n) sent from the home network. In the main authentication, the mobile station is authenticated by using a pair of the second random number (RNDb_1,...,RNDb_m) and of the calculation result (SRESb_1,...,SRESb_m) with respect to the second random number (RNDb_1,...,RNDb_m), sent from the mobile station.
FIELD OF THE INVENTION

The present invention relates to an authentication method for mobile communications. Particularly, the invention relates to an authentication method which can be used in mobile communication networks with different algorithms, for identifying that a mobile subscriber accessing or roaming in a network different from his home network is a right subscriber in the home network.

DESCRIPTION OF THE RELATED ART 

In mobile communications, since the mobile subscribers are connected to a mobile communication network via radio interfaces, the mobile communication network has difficulty confirming that the connected mobile subscriber is certainly the desired one. Therefore, the mobile communication network is required to authenticate the connected mobile subscriber.

Since, in such a radio environment, communication can easily be listened to by anyone, sufficient protection is necessary for the authentication so that only the right subscribers are correctly authenticated.

Thus, in recent digital mobile communications, a challenge-response (CR) authentication method based upon secret key cryptography has been widely used.

Referring to Fig. 1, which shows the principle of CR authentication, this CR authentication method will be described. According to the CR authentication method, a mobile communication network and a mobile station belonging to the network have the same secret key cipher function f. The function f has two variables, one a secret key ki and the other a random number RND. As the secret key ki may be handled as a parameter, this cipher function will be represented by f_ki(RND) and its result will be represented by SRES.

The mobile network has the secret keys {ki} of all the right mobile stations (subscribers) belonging to this network (S101). The right mobile stations also have their respective secret keys {ki}, which are different from each other (S102). These secret keys {ki} are physically protected from illegal reading out. At the start of the CR authentication, although not shown, the mobile station informs the mobile network of his identification number. The network then finds the secret key ki corresponding to this connected mobile station by searching its data base, and then generates at least one random number RND (S103). The generated RND (challenge) is sent to the mobile station. The mobile station calculates f_ki(RND) using the received RND and his secret key ki (S104), and then sends back the result of the calculation SRES (response) to the network. Since the mobile network also has the same secret key ki and the cipher function f, the same calculation of f_ki(RND) can be performed using the sent RND. The result of this latter calculation is compared with the result SRES from the mobile station (S105). If the result of f_ki(RND) is equal to SRES, the authentication succeeds. Otherwise, it fails.

As described, according to the CR authentication method, the secret key ki of the mobile station does not appear on the radio interface. Only RND and SRES are transmitted between the mobile station and the network via this radio interface. Thus, the secret key ki will be securely protected from listening.

Furthermore, since RND can be randomly selected by the network and the correct SRES changes depending upon the selected RND, it is quite difficult for any illegal mobile station to be authenticated as a right mobile station even if he sends an SRES previously obtained by listening to the network. Therefore, the CR authentication method is an extremely excellent method for ensuring the security of a mobile communication system. The authentication methods described in this specification will utilize this CR authentication method with modification.

A mobile station is said to be "roaming" when it communicates by accessing a visited network which is different from his home network. This visited network accessed by the mobile station is called a "roamed network". Before communicating with the accessing mobile station, the roamed network needs to authenticate that this roaming mobile station is a right mobile subscriber registered in his home network.

However, since the roamed network neither has a secret key of the roaming mobile station nor always uses the same cipher function as his home network, a particular process, different from that used for a mobile station in his home network, will be required for authenticating the roaming mobile station, as follows.

(1) In case the roamed network uses the same cipher function f as the home network, there are two methods:

(a) sending a secret key ki of the accessing mobile station from the home network to the roamed network, and

(b) producing, at the home network, at least one challenge-response pair {RND, SRES} which will be necessary for authentication, using a secret key ki of the accessing mobile station, and sending the produced pair {RND, SRES} to the roamed network.

Fig. 2a shows method (a), wherein the home network sends the secret key ki of the roaming mobile station to the roamed network. In this method, the mobile station and the home network have the same cipher function f and the same secret parameter ki (S201, S203), and the roamed network has the same cipher function (S202). If the mobile station requests roaming to the visited network with his identification number, this roamed network informs his home network of this identification number. The home network then finds a secret key ki corresponding to the roaming mobile station by searching its data base (S204). The found secret key ki is sent to the roamed network (S205). Thereafter, the usual CR authentication processes already described are performed between the mobile station and the roamed network using this sent secret key ki.

This method (a) is simple. However, since the secret key ki, which is important for security, is transmitted to the roamed network, a high level of protection cannot be expected.

Fig. 2b shows method (b), wherein the home network produces a set of CR pairs which will be necessary for authentication, by using the secret key ki of the roaming mobile station, and sends them to the roamed network. In this case, only the mobile station and the home network have the same cipher function f and the same secret parameter ki (S211, S212). If the mobile station requests roaming to the visited network with his identification number, this roamed network informs his home network of this identification number. The home network then finds a secret key ki corresponding to the roaming mobile station by searching its data base (S213), and generates at least one set of random numbers {RND_1,...,RND_n} (S214). The home network then calculates f_ki(RND_j) using the generated RND_j (j=1,...,n) and the found secret key ki (S215), and sends back a set of CR pairs, namely the generated random numbers {RND_1,...,RND_n} and the results of the calculation {SRES_1,...,SRES_n}, to the roamed network (S216). Thereafter, the usual CR authentication processes already described are performed between the mobile station and the roamed network.

According to this method (b), since a set of CR pairs must be transmitted to the roamed network, the amount of transmission will be increased. However, the secret key ki, which is important for security, does not appear on the link between the networks, so that a high level of protection can be expected.

Generally, the roamed network requests and receives a plurality of CR pairs from the home network at the first roaming of the mobile station; then, at every authentication of that mobile station, one of the received CR pairs stored in the roamed network will be used without requesting a new CR pair from the home network. After all the stored CR pairs corresponding to that mobile station have been used for authentication, the roamed network will request and receive a new set of CR pairs from the home network.

(2) In case the roamed network does not have the 
same cipher function f as the home network. 

In this case, the aforementioned method (a) cannot be applied, and thus method (b) has to be used. The European standard digital mobile communication system, namely GSM (Global System for Mobile communication), adopts this method (b).



Method (b), wherein at least one CR pair is transmitted from the home network to the roamed network, does not require that the networks have the same cipher function f. However, according to this method, the roamed network cannot use original random numbers for authentication. Also, according to this method, the respective bit lengths of the random number and of the calculation result for authentication in the roamed network and the home network are required to be equal to each other.

In general, networks with different cipher functions will use, for authentication, random numbers and calculation results of different bit lengths. Thus, in a case wherein transmission of variable bit-length random numbers and calculation results is not supported by the authentication protocol, sufficient information may not be transmitted through the radio interfaces even if the above-mentioned method (b) is used. In such a case, good CR authentication cannot be expected.

There are four cases of transmission of the random number and of the calculation result with different bit lengths, as follows.

(A) Bit length of the random number in the roamed network is longer than that in the home network.

In this case, since the roamed network can completely transmit via the radio interface the random number from the home network to the roaming mobile station, no problem will occur.

(B) Bit length of the random number in the roamed network is shorter than that in the home network.

In this case, the roamed network cannot transmit all the bits of the random number from the home network to the roaming mobile station. Thus, the mobile station will receive an incomplete random number, resulting in incorrect calculation of the cipher function. Therefore, correct authentication at roaming cannot be expected in this case.

(C) Bit length of the calculation result in the roamed network is longer than that in the home network.

In this case, since the roamed network can completely transmit via the radio interface the calculation result from the home network to the roaming mobile station, no problem will occur.

(D) Bit length of the calculation result in the roamed network is shorter than that in the home network.

In this case, the roamed network cannot transmit all the bits of the calculation result from the home network to the roaming mobile station. However, since the roamed network can obtain at least part of the calculation result from the mobile station in addition to the calculation result from the home network, although protection will be lowered a little, authentication can be substantially performed.

As aforementioned, according to the conventional authentication method, it is difficult to perform roaming in the case of (B). Since roaming will be requested reciprocally between the networks, the above-mentioned trouble of (B) will certainly occur in roaming between networks using random numbers of different bit lengths.

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide a mobile communication authentication method, whereby transmission amount of information can be reduced while maintaining security of the communications.

Another object of the present invention is to provide a mobile communication authentication method, whereby roaming can be performed between networks whose random numbers used for the authentication have different bit lengths from each other.

According to the present invention, a method for authenticating a mobile station which accesses for roaming a network different from a home network of the mobile station is provided. In this method, the mobile station and the home network have the same secret key and use the same cipher function. The method includes two stages, namely a batch preliminary authentication stage and a main authentication stage. In the preliminary authentication stage, the mobile station is preliminarily authenticated by sending from the home network to the roamed network, a plurality of pairs of first random numbers and calculation results of the cipher function, which calculation is performed at the home network using the secret key and the first random numbers, by sending, from the roamed network to the mobile station, third random numbers formed by coupling second random numbers produced at the roamed network with the first random numbers, by sending, from the mobile station to the roamed network, calculation results of the cipher function, which calculation is performed at the mobile station using the secret key and the sent third random numbers, and by confirming, at the roamed network, coincidence of the calculation results sent from the mobile station with the calculation results sent from the home network. In the main authentication, the mobile station is authenticated by using a pair of the second random number and of the calculation result with respect to the second random number, sent from the mobile station.

It is preferred that the number of the first random 
numbers is smaller than that of the second random 
numbers. 

It is also preferred that the third random numbers are sent from the roamed network in accordance with a sending order which has been rearranged at random.

The batch preliminary authentication stage will be performed by using a secure communication line between the mobile station and the roamed network. Then, in the main authentication stage, CR pairs consisting of the second random numbers and the calculation results of the cipher function based upon the second random numbers, which are obtained during the preliminary authentication stage and stored in the roamed network, are used for authentication. Also, the roamed network obtains the calculation results of the CR pairs from the mobile station to be authenticated, in response to the second random numbers produced by the roamed network itself. It should be noted that during the preliminary authentication, the mobile station will behave as if he is processing his normal authentication protocol. Furthermore, the second random numbers are combined with the first random numbers, and then sent to the mobile station with their sending order rearranged at random.

Therefore, according to the present invention, a mobile communication authentication method, whereby transmission amount of information can be reduced while maintaining security of the communications, can be provided.

According to the present invention, another method for authenticating a mobile station which accesses for roaming a network different from a home network of the mobile station is provided. In the method, the mobile station and the home network have the same secret key and use the same cipher function, and the bit length of random numbers used in the roamed network is shorter than that used in the home network. The mobile station is authenticated by sending from the home network to the roamed network, calculation results of the cipher function, which calculation is performed at the home network using the secret key and random numbers extended by means of an extension function to the bit length of the random numbers used in the home network, by sending, from the roamed network to the mobile station, random numbers before extension, by sending, from the mobile station to the roamed network, calculation results of the cipher function, which calculation is performed at the mobile station using the secret key and random numbers extended by means of an extension function to the bit length of the random numbers used in the home network, and by confirming, at the roamed network, coincidence of the calculation result sent from the mobile station with the calculation result sent from the home network.

The mobile station and the roamed network may have the extension functions, and the roamed network may produce random numbers and extend the bit length of the random numbers using the extension function.

The mobile station and the home network may have the extension functions, and the home network may produce random numbers and extend the bit length of the random numbers using the extension function.

The extension function may be a block cipher 
system of CBC mode. 

In the case that the bit length of random numbers used in the roamed network is shorter than that used in the home network, the roamed network sends a random number having the shorter bit length to the mobile station. The mobile station will extend the received random number by using an extension function provided therein to obtain a random number having the same bit length as that used in the home network. The mobile station then calculates the same cipher function using the same secret key as those provided in the home network in accordance with the extended random number, and sends the calculation result to the roamed network in order to compare it with the calculation result from the home network.
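
The following added Python example (not part of the patent text) contrasts related-art case (B) with the extension-function method described above, in the variant where the home network produces and extends the random numbers. HMAC-SHA256 stands in for the unspecified cipher function f, a truncated SHA-256 stands in for the extension function (the text suggests a CBC-mode block cipher), and the 64/32-bit lengths, the zero-filling station and all names are assumptions.

```python
import hashlib
import hmac
import secrets

HOME_RND_BYTES = 8     # random number length the home cipher function expects (assumed)
ROAMED_RND_BYTES = 4   # shorter random number the roamed network can carry (assumed)
SRES_BYTES = 4         # length of the calculation result (assumed)


def f(ki: bytes, rnd: bytes) -> bytes:
    """Stand-in for the home cipher function f_ki(RND); needs a full-length RND."""
    if len(rnd) != HOME_RND_BYTES:
        raise ValueError("f needs a home-length random number")
    return hmac.new(ki, rnd, hashlib.sha256).digest()[:SRES_BYTES]


def extend(short_rnd: bytes) -> bytes:
    """Keyless extension function shared by both ends (hash-based stand-in)."""
    if len(short_rnd) != ROAMED_RND_BYTES:
        raise ValueError("unexpected random number length")
    return hashlib.sha256(b"rnd-extension" + short_rnd).digest()[:HOME_RND_BYTES]


def home_pair_conventional(ki: bytes, rnd: bytes = None):
    """Case (B): the home network picks a full-length RND, but the roamed
    network can forward only its leading bytes to the mobile station."""
    rnd = rnd or secrets.token_bytes(HOME_RND_BYTES)
    return rnd[:ROAMED_RND_BYTES], f(ki, rnd)


def home_pair_extended(ki: bytes, short_rnd: bytes = None):
    """Home network produces a short RND, extends it, and computes SRES on
    the extended value; only the short RND and SRES leave the home network."""
    short_rnd = short_rnd or secrets.token_bytes(ROAMED_RND_BYTES)
    return short_rnd, f(ki, extend(short_rnd))


def station_conventional(ki: bytes, received: bytes) -> bytes:
    """Station without an extension function: it zero-fills the missing bits
    (assumed behaviour) and therefore computes f on the wrong input."""
    return f(ki, received.ljust(HOME_RND_BYTES, b"\x00"))


def station_extending(ki: bytes, received: bytes) -> bytes:
    """Station with the extension function: rebuilds the home-length RND."""
    return f(ki, extend(received))


def roamed_network_auth(home_pair, station_fn, station_ki: bytes) -> bool:
    """Roamed network: forwards the short RND and compares the station's
    SRES with the SRES received from the home network."""
    short_rnd, expected = home_pair
    return hmac.compare_digest(station_fn(station_ki, short_rnd), expected)


if __name__ == "__main__":
    ki = secrets.token_bytes(16)
    print("case (B), truncated RND:",
          roamed_network_auth(home_pair_conventional(ki), station_conventional, ki))
    print("with extension function:",
          roamed_network_auth(home_pair_extended(ki), station_extending, ki))
```

The stand-in extension is deterministic and keyless, so it restores the bit length f expects, but the number of distinct challenges is still bounded by the roamed network's shorter random number.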

Therefore, according to the present invention, a mobile communication authentication method whereby roaming can be performed between networks whose random numbers used for the authentication have different bit lengths from each other can be provided.

According to the present invention, a further method for authenticating a mobile station which accesses for roaming a network different from a home network of the mobile station is provided. In this method, the mobile station and the home network have the same secret key and use the same cipher function, and the bit length of random numbers used in the roamed network is shorter than that used in the home network. The method includes two stages, namely a batch preliminary authentication stage and a main authentication stage. In the preliminary authentication stage, the mobile station is authenticated by sending from the home network to the roamed network, a plurality of pairs of first random numbers and calculation results of the cipher function, which calculation is performed at the home network using the secret key and the first random numbers, by sending, from the roamed network to the mobile station, third random numbers formed by coupling second random numbers produced and extended at the roamed network by means of an extension function to the bit length of the random numbers used in the home network with the first random numbers, by sending, from the mobile station to the roamed network, calculation results of the cipher function, which calculation is performed at the mobile station using the secret key and the sent third random numbers, and by confirming, at the roamed network, coincidence of the calculation results sent from the mobile station with the calculation results sent from the home network. The main authentication stage authenticates the mobile station by using a pair of the second random number and of the calculation result with respect to the second random number, sent from the mobile station.

It is preferred that the number of the first random numbers is smaller than that of the second random numbers.

It is also preferred that the third random numbers are sent from the roamed network in accordance with a sending order which has been rearranged at random.

According to the present invention, a still further method for authenticating a smart card connected to a mobile station, which accesses for roaming a network different from a home network of the smart card, is provided. In the method, the smart card and the home network have the same secret key and use the same cipher function, and the bit length of random numbers used in the roamed network is shorter than that used in the home network. The method includes two stages, namely a batch preliminary authentication stage and a main authentication stage. In the preliminary authentication stage, the smart card is authenticated by sending from the home network to the roamed network, a plurality of pairs of first random numbers and calculation results of the cipher function, which calculation is performed at the home network using the secret key and the first random numbers, by sending, from the roamed network to the smart card, third random numbers formed by coupling second random numbers produced and extended at the roamed network by means of an extension function to the bit length of the random numbers used in the home network with the first random numbers, by sending, from the smart card to the roamed network, calculation results of the cipher function, which calculation is performed at the smart card using the secret key and the sent third random numbers, and by confirming, at the roamed network, coincidence of the calculation results sent from the smart card with the calculation results sent from the home network. The main authentication stage authenticates the smart card connected to the mobile station by using a pair of the second random number and of the calculation result with respect to the second random number, sent from the smart card.

It is preferred that the number of the first random 
numbers is smaller than that of the second random 
numbers. 

It is also preferred that the third random numbers are sent from the roamed network in accordance with a sending order which has been rearranged at random.

According to the present invention, another method for authenticating a smart card connected to a mobile station, which accesses for roaming a network different from a home network of the smart card, is provided. In the method, the smart card and the home network have the same first secret key and use the same first cipher function, and the mobile station and the roamed network have the same second secret key and use the same second cipher function. The method includes two authentication stages, namely a mobile station authentication stage and a subscriber authentication stage. In the mobile station authentication stage, the mobile station is authenticated by sending, from the roamed network to the mobile station, at least one random number, by sending, from the mobile station to the roamed network, at least one calculation result of the second cipher function, which calculation is performed at the mobile station using the second secret key and the random number sent from the roamed network, and by confirming, at the roamed network, coincidence of the calculation result sent from the mobile station with a calculation result calculated at the roamed network. The subscriber authentication stage authenticates the smart card by sending from the roamed network to the smart card at least one random number, by sending from the smart card to the roamed network, at least one calculation result of the first cipher function, which calculation is performed at the smart card using the first secret key and the random number sent from the roamed network, and by confirming, at the roamed network, coincidence of the calculation result sent from the smart card with a calculation result sent from the home network.

Preferably, the random numbers sent from the 
roamed network to the mobile station are produced at 
the roamed network by dividing a random number 
sent from the home network. 

Further objects and advantages of the present invention will be apparent from the following description of the preferred embodiments of the invention as illustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a flow chart showing the operation of a conventional CR authentication method already described;

Figs. 2a and 2b are flow charts showing the operation of another conventional CR authentication method already described;

Fig. 3 schematically shows the constitution of a mobile communication system as a preferred embodiment according to the present invention;

Fig. 4 schematically shows the constitution of a mobile station shown in Fig. 3;

Fig. 5, which is illustrated in a separated form of Figs. 5A, 5B and 5C, is a flow chart showing the operation of a batch preliminary authentication stage according to the embodiment of Fig. 3;

Fig. 6 is a flow chart showing the operation of a main authentication stage according to the embodiment of Fig. 3;

Fig. 7, which is illustrated in a separated form of Figs. 7A, 7B and 7C, is a flow chart showing the operation of another embodiment according to the present invention;

Figs. 8a, 8b and 8c show examples of extension functions used in the embodiment of Fig. 7;

Fig. 9, which is illustrated in a separated form of Figs. 9A, 9B and 9C, is a flow chart showing the operation of a further embodiment according to the present invention;

Fig. 10, which is illustrated in a separated form of Figs. 10A, 10B, 10C and 10D, is a flow chart showing the operation of a batch preliminary authentication stage of a still further embodiment according to the present invention;

Fig. 11, which is illustrated in a separated form of Figs. 11A and 11B, is a flow chart showing the operation of a main authentication stage according to the embodiment of Fig. 10; and

Fig. 12, which is illustrated in a separated form of Figs. 12A, 12B and 12C, is a flow chart showing the operation of another embodiment according to the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to Fig. 3, which schematically shows the constitution of a mobile communication system as a preferred embodiment according to the present invention, reference numeral 30 denotes a home network and 31 denotes a roamed network. In the home network 30, there are switching stations 32, a base station 33 connected to the switching station 32 by a wire line and a data base 34 connected to the switching station 32. A mobile station 35, if it stays within this network 30 as illustrated by a dotted line, can be connected via a radio link to the base station 33. In the roamed network 31, there are switching stations 36, a base station 37 connected to the switching station 36 by a wire line and a data base 38 connected to the switching station 36. The mobile station 35 roaming to this network 31 is now connected via a radio link to the base station 37.

Fig. 4 schematically shows a constitution example of the mobile station 35 shown in Fig. 3. An antenna 40 is connected in series to an RF unit 41, a base-band processing unit 42 and a voice encoding and decoding unit 43. The voice encoding and decoding unit 43 is also connected to a speaker 44 and a microphone 45. A control unit 46 for controlling the operation of the RF unit 41, base-band processing unit 42 and voice encoding and decoding unit 43 is connected to these units. An I/O interface 47 for receiving a smart card 48 is also connected to the control unit 46.

Fig. 5 shows the operation of a batch preliminary 
authentication stage according to this embodiment. 

In this stage, it is supposed that the communication link between the mobile station 35 and the base station 37 of the roamed network 31 is a secured communication line protected from eavesdropping, such as a special wire communication line or a normal radio communication line using enciphered messages. The mobile station 35 and the home network 30 have the same cipher function f and the same secret parameter ki assigned to this mobile station (S501, S502).

If the mobile station 35 requests a preliminary authentication from the visited network 31 with his identification number, this roamed network 31 informs his home network 30 of this together with his identification number. The home network 30 then finds a secret key ki corresponding to the roaming mobile station 35 by searching its data base 34 (S503), and generates a set of random numbers {RNDa_1,...,RNDa_n} (S504). The home network 30 then calculates f_ki(RNDa_j) using the generated RNDa_j (j=1,...,n) and the found secret key ki (S505), and sends a set of CR pairs, namely the generated random numbers {RNDa_1,...,RNDa_n} of 62 bits and the results of the calculation {SRESa_1,...,SRESa_n} of 32 bits, to the roamed network 31.

The roamed network 31, which has received the set of CR pairs, generates a set of random numbers {RNDb_1,...,RNDb_m} (S506). The roamed network then couples these generated random numbers {RNDb_1,...,RNDb_m} with the received random numbers {RNDa_1,...,RNDa_n}, and sends in parallel or in series (parallel in the example of Fig. 5) the coupled random numbers to the mobile station 35, rearranging the order of the sent numbers at random. The above-mentioned n is an integer greater than one and m is an integer much greater than n (m >> n). As a non-limiting example, m and n may be selected as m = 100 and n = 10.

The mobile station 35 calculates SRESa_j = f_ki(RNDa_j) (j=1,...,n) and SRESb_j = f_ki(RNDb_j) (j=1,...,m) using the received (n+m) random numbers, the cipher function f and his secret key ki (S507), and then sends back to the roamed network 31 the results of the calculation {SRESa_1,...,SRESa_n, SRESb_1,...,SRESb_m}, which are arranged in random order. The roamed network 31 restores the order of the received calculation results in accordance with the sending order thereof, and thus obtains the correctly ordered {SRESa_1,...,SRESa_n} and {SRESb_1,...,SRESb_m}. Then, the roamed network 31 compares the results {SRESa_1,...,SRESa_n} calculated by and received from the mobile station 35 with the results {SRESa_1,...,SRESa_n} calculated by and received from the home network 30 to determine whether they coincide with each other (S508). If all of them coincide with each other, the mobile station 35 is deemed a right mobile subscriber, and thus the random numbers {RNDb_1,...,RNDb_m} and the calculation results {SRESb_1,...,SRESb_m} from the mobile station 35 are stored in the roamed network 31 so as to be used in the main authentication as CR pairs (S509). If one or more results do not coincide with each other, it is determined that the batch preliminary authentication fails, and then the results {SRESb_1,...,SRESb_m} are abandoned.

Since the sending order of the random numbers from the roamed network 31 has been rearranged, the mobile station 35 cannot know which of {RNDa_1,...,RNDa_n, RNDb_1,...,RNDb_m} the currently received random number corresponds to. Therefore, if all the calculation results with respect to {RNDa_1,...,RNDa_n} coincide as described above, not only is the mobile station 35 deemed a right one, but the set of CR pairs {RNDb_1,...,RNDb_m} and {SRESb_1,...,SRESb_m} is also considered to be a set of legal CR pairs.

After the above-mentioned batch preliminary authentication of the mobile station 35 has succeeded, the roamed network 31 can start the main authentication shown in Fig. 6 at any time when this mobile station 35 requests roaming via the radio interface. When the mobile station 35 requests roaming with its identification number, since the results of the preliminary authentication (CR pairs) {RNDb_1,...,RNDb_m} and {SRESb_1,...,SRESb_m} have already been stored in the roamed network 31 (S601), the network 31 sends one of the random numbers RNDb_j of 64 bits to the mobile station 35. The mobile station 35 then calculates SRESb_j = f_ki(RNDb_j) using the received RNDb_j, its cipher function f and its secret key ki (S602), and sends back the calculated result SRESb_j of 32 bits to the roamed network 31. This calculation result SRESb_j is compared with the corresponding result SRESb_j stored in the roamed network at the preliminary authentication stage (S603). If they coincide with each other, the main authentication succeeds. Otherwise, it fails.

It should be noted that each main authentication of this mobile station 35 uses one of the CR pairs stored in the roamed network 31 at the batch preliminary authentication. When this mobile station 35 roams after all of its stored CR pairs have been used, a new preliminary authentication is required.
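The batch preliminary authentication (Fig. 5) and the main authentication (Fig. 6) described above, as an added Python sketch that is not part of the patent. The patent does not specify the cipher function f, so HMAC-SHA-256 truncated to 32 bits stands in for it; the class names, the identification number and the 64-bit challenge length used throughout are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def f(ki: bytes, rnd: bytes) -> bytes:
    """Stand-in for cipher function f (assumption): HMAC-SHA-256 cut to 32 bits."""
    return hmac.new(ki, rnd, hashlib.sha256).digest()[:4]


class MobileStation:
    """Holds ki and answers every challenge the same way (S507, S602)."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, challenges):
        # The station sees only a shuffled list; it cannot tell RNDa from RNDb.
        return [f(self._ki, rnd) for rnd in challenges]


class HomeNetwork:
    def __init__(self, database):
        self._database = database  # identification number -> ki (data base 34)

    def cr_pairs(self, ident: str, n: int):
        ki = self._database[ident]                            # S503
        rnda = [secrets.token_bytes(8) for _ in range(n)]     # S504
        return [(rnd, f(ki, rnd)) for rnd in rnda]            # S505


class RoamedNetwork:
    """Never learns ki and never evaluates f; it only compares results."""

    def __init__(self):
        self._unused = {}  # identification number -> unused (RNDb, SRESb) pairs

    def preliminary(self, ident, home_pairs, station, m: int) -> bool:
        n = len(home_pairs)
        rndb = [secrets.token_bytes(8) for _ in range(m)]     # S506
        coupled = [rnd for rnd, _ in home_pairs] + rndb
        order = list(range(n + m))
        secrets.SystemRandom().shuffle(order)                 # random sending order
        answers = station.respond([coupled[i] for i in order])
        if len(answers) != n + m:
            return False
        restored = [b""] * (n + m)
        for position, index in enumerate(order):              # undo the shuffle
            restored[index] = answers[position]
        # S508: every SRESa from the station must match the home network's value.
        matches = [hmac.compare_digest(restored[j], home_pairs[j][1]) for j in range(n)]
        if not all(matches):
            return False                                      # SRESb abandoned
        self._unused[ident] = list(zip(rndb, restored[n:]))   # S509
        return True

    def remaining(self, ident) -> int:
        return len(self._unused.get(ident, []))

    def main_auth(self, ident, station) -> bool:
        pairs = self._unused.get(ident)
        if not pairs:
            raise LookupError("no unused CR pair: new preliminary authentication required")
        rndb_j, expected = pairs.pop()                        # each pair is used once
        answers = station.respond([rndb_j])                   # S602
        return len(answers) == 1 and hmac.compare_digest(answers[0], expected)  # S603
```

With n = 10 and m = 100, only ten CR pairs cross the link between the networks, while the roamed network ends up holding one hundred pairs vouched for by the ten it could check.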

In the main authentication stage, the random numbers {RNDb_1,...,RNDb_m}, which were already sent once to the mobile station, are used again. Thus, if these numbers were eavesdropped during the preliminary authentication stage, the eavesdropper could pose as a right subscriber at the main authentication. Therefore, the communication line between the mobile station and the roamed network during the preliminary authentication should be a secured communication line protected from eavesdropping.

For simplicity, it has been described that the mobile station itself has the cipher function and the secret key. However, in many mobile communication systems, smart cards which store these cipher functions and assigned secret keys may be provided. In such cases, during the preliminary authentication, only the smart cards may be connected to the roamed network by inserting them into dedicated wire line terminals in the roamed network, instead of connecting via the radio interfaces, so that the communication line between the mobile station and the roamed network is secured from eavesdropping.

As will be apparent from the above description, according to this embodiment, the roamed network can obtain a desired number of CR pairs from the random numbers generated by itself and the calculation results calculated by the mobile station in accordance with these random numbers, without receiving a large number of CR pairs from the home network. Since the number n of the random numbers sent from the home network and used for the preliminary authentication is much less than the number m of the random numbers generated in the roamed network (m » n), the amount of information transmitted between the networks can be greatly reduced. Furthermore, this method is effective in case the roamed network cannot calculate the cipher function f.

Fig. 7 shows the operation of another embodiment according to the present invention. The constitution of the mobile communication system and the constitution of the mobile station are the same as those shown in Figs. 3 and 4.

This embodiment concerns a mobile communication system having an authentication protocol wherein the roamed network is allowed to produce random numbers. In this embodiment, the mobile station 35 and the home network 30 have the same cipher function f and the same secret parameter ki assigned to this mobile station (S701, S703). The bit length of the random numbers used in the home network 30 and in the mobile station 35 is 128 bits, and the bit length of the calculation results used therein is 32 bits (S701, S703). The roamed network 31, on the other hand, has a cipher function different from f. The bit length of the random numbers used in this roamed network 31 is 64 bits and the bit length of its calculation result is, for example, 32 bits (S702). Furthermore, the mobile station 35 and the roamed network 31 are provided with extension functions E( ) for extending the bit length from 64 bits to 128 bits.

If the mobile station 35 requests roaming to the visited network 31 with its identification number, this roamed network 31 reports the request, together with the identification number, to the home network 30. The home network 30 then finds the secret key ki corresponding to the roaming mobile station 35 by searching its data base 34 (S704). The roamed network 31 then generates a set of random numbers {RND_1,...,RND_n} of 64 bits (S705), and produces extended random numbers {RND'_1,...,RND'_n} of 128 bits by applying the extension function E( ) to the 64-bit random numbers {RND_1,...,RND_n} (S706). The extended random numbers {RND'_1,...,RND'_n} are sent to the home network 30. The home network 30 then calculates f_ki(RND'_j) using the received RND'_j (j=1,...,n) and the found secret key ki (S707). The calculation results {SRES_1,...,SRES_n} of 32 bits are sent back to and stored in the roamed network 31 as sets of the random numbers, their extended random numbers and their calculated results {RND_j, RND'_j, SRES_j} (j=1,...,n).

At the authentication of the mobile station, the roamed network 31 extracts an unused set of a random number, its extended random number and its calculated result {RND_j, RND'_j, SRES_j} from these stored sets. Then, the random number RND_j in the extracted set is sent to the mobile station 35 via the radio interface. The mobile station 35 produces the extended random number RND'_j of 128 bits by applying the extension function E( ) to RND_j (S708), and then calculates SRES_j = f_ki(RND'_j) using the extended RND'_j and its secret key ki (S709). The calculation result SRES_j of 32 bits is sent back to the roamed network 31. Then, the roamed network 31 compares the result SRES_j calculated by and received from the mobile station 35 with the result SRES_j stored therein to check whether they coincide with each other (S710). If they coincide, the authentication succeeds. Otherwise, it fails.

There are many extension functions. Figs. 8a, 8b and 8c show simple examples of these extension functions. The simplest extension function is shown in Fig. 8a or 8b, wherein the 64-bit input is inserted into the upper (right) or lower (left) half bits of the 128-bit output and the remaining half bits are filled with "0" or a fixed numeral. However, since the received output readily reveals that an extension function was used to produce such a long bit output, using these extension functions is undesirable. For an extension function, it is necessary that:

(1) the input value of 64 bits cannot be easily assumed from the output of 128 bits, and

(2) whether the received output is an extended 128-bit output or an original 128-bit output cannot be easily assumed from the received output.

A block cipher system of CBC mode shown in Fig. 8c may be an example of an extension function which satisfies both of the above-mentioned conditions (1) and (2). In the figure, reference numeral 80 denotes an exclusive OR circuit and 81 a block cipher circuit for enciphering a 64-bit input, namely for calculating a function F( ) with respect to its input of 64 bits. If the input of this system is represented by M_1 of 64 bits, the corresponding output of the circuit 81 will be C_1 = F(M_1). As this output is fed back and applied to the exclusive OR circuit 80, the next output C_2 will be C_2 = F{F(M_1) ⊕ M_1}. An extended 128-bit output is obtained by coupling these 64-bit outputs C_1 and C_2 as the upper half bits and lower half bits of the 128-bit output, respectively.

According to this embodiment, although the random numbers transmitted between the mobile station and the roamed network via the radio interface are 64-bit random numbers, the mobile station can perform the authentication using random numbers of 128 bits, which is the same authentication as that in the home network.
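The extension functions of Figs. 8a and 8c and the Fig. 7 exchange, as an added Python sketch that is not part of the patent. The patent names neither the block cipher F( ) nor its keying, so a toy 8-round Feistel network with a constructed key stands in for circuit 81, and HMAC-SHA-256 truncated to 32 bits stands in for f; all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

DEMO_E_KEY = b"constructed key for F"  # assumption: the page does not say how F( ) is keyed


def f(ki: bytes, rnd128: bytes) -> bytes:
    """Stand-in for cipher function f (assumption): HMAC-SHA-256 cut to 32 bits."""
    return hmac.new(ki, rnd128, hashlib.sha256).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def F(block: bytes, key: bytes = DEMO_E_KEY) -> bytes:
    """Toy 64-bit block cipher standing in for circuit 81: 8-round Feistel network."""
    if len(block) != 8:
        raise ValueError("F( ) takes a 64-bit block")
    left, right = block[:4], block[4:]
    for rnd in range(8):
        mask = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, mask)
    return left + right


def extend_zero_fill(m1: bytes) -> bytes:
    """Fig. 8a style: input in one half, the other half filled with "0"."""
    return m1 + bytes(8)


def extend_cbc(m1: bytes) -> bytes:
    """Fig. 8c: C_1 = F(M_1), C_2 = F(C_1 xor M_1), output = C_1 || C_2."""
    c1 = F(m1)
    c2 = F(xor(c1, m1))
    return c1 + c2


def has_constant_half(outputs) -> bool:
    """Condition (2) check: does one 64-bit half stay identical across outputs?"""
    uppers = {out[:8] for out in outputs}
    lowers = {out[8:] for out in outputs}
    return len(uppers) == 1 or len(lowers) == 1


def fig7_authenticate(ki_home: bytes, ki_station: bytes, extend=extend_cbc) -> bool:
    rnd = secrets.token_bytes(8)                          # S705, roamed network
    rnd_ext = extend(rnd)                                 # S706, roamed network
    sres = f(ki_home, rnd_ext)                            # S707, home network
    stored = (rnd, rnd_ext, sres)                         # kept in the roamed network
    over_radio = stored[0]                                # only 64 bits cross the air
    sres_station = f(ki_station, extend(over_radio))      # S708, S709, mobile station
    return hmac.compare_digest(sres_station, stored[2])   # S710
```

An observer who collects a few 128-bit challenges can spot the zero-filled extension with `has_constant_half`, which is the weakness the text attributes to Figs. 8a and 8b; the same test finds nothing in the CBC-style outputs.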

Fig. 9 shows the operation of a further embodiment according to the present invention. The constitution of the mobile communication system and the constitution of the mobile station are also the same as those shown in Figs. 3 and 4.

This embodiment concerns a mobile communication system having an authentication protocol wherein the home network is allowed to produce random numbers of 64 bits. In this embodiment also, the mobile station 35 and the home network 30 have the same cipher function f and the same secret parameter ki assigned to this mobile station (S901, S903). The bit length of the random numbers used in the home network 30 and in the mobile station 35 is 128 bits, and the bit length of the calculation results used therein is 32 bits (S901, S903). The roamed network 31, on the other hand, has a cipher function different from f. The bit length of the random numbers used in this roamed network 31 is 64 bits and the bit length of its calculation result is, for example, 32 bits (S902). Furthermore, the mobile station 35 and the home network 30 are provided with extension functions E( ) for extending the bit length from 64 bits to 128 bits.

If the mobile station 35 requests roaming to the visited network 31 with its identification number, this roamed network 31 reports the request, together with the identification number, to the home network 30. The home network 30 then finds the secret key ki corresponding to the roaming mobile station 35 by searching its data base 34 (S904). The home network 30 then generates a set of random numbers {RND_1,...,RND_n} of 64 bits (S905), and produces extended random numbers {RND'_1,...,RND'_n} of 128 bits by applying the extension function E( ) to the 64-bit random numbers {RND_1,...,RND_n} (S906). Next, the home network 30 calculates f_ki(RND'_j) using the calculated RND'_j (j=1,...,n) and the found secret key ki (S907). The generated random numbers {RND_1,...,RND_n} of 64 bits and the calculation results {SRES_1,...,SRES_n} of 32 bits are sent to and stored in the roamed network 31 as CR pairs {RND_j, SRES_j} (j=1,...,n).

At the authentication of the mobile station, the roamed network 31 extracts an unused CR pair of a random number and its calculated result {RND_j, SRES_j} from these stored CR pairs. Then, the random number RND_j of the extracted pair is sent to the mobile station 35 via the radio interface. The mobile station 35 produces the extended random number RND'_j of 128 bits by applying the extension function E( ) to RND_j (S908), and then calculates SRES_j = f_ki(RND'_j) using the extended RND'_j and its secret key ki (S909). The calculation result SRES_j of 32 bits is sent back to the roamed network 31. Then, the roamed network 31 compares the result SRES_j calculated by and received from the mobile station 35 with the result SRES_j stored therein to check whether they coincide with each other (S910). If they coincide, the authentication succeeds. Otherwise, it fails.

This embodiment differs from the embodiment of Fig. 7 in that the home network, not the roamed network, has the extension function used for extending the random numbers, and in that the random numbers of 64 bits are sent from the home network to the roamed network.

Figs. 10 and 11 show the operation of a still further embodiment according to the present invention. The constitution of the mobile communication system and the constitution of the mobile station are also the same as those shown in Figs. 3 and 4.

This embodiment concerns a mobile communication system having an authentication protocol wherein the roamed network 31 is not allowed to produce random numbers.

The authentication process in this embodiment consists of two stages: a batch preliminary authentication stage and a main authentication stage. In this embodiment, furthermore, a smart card 48 is provided which safely holds a cipher function and a secret key and performs the preliminary authentication operation and most of the main authentication operation. Thus, the mobile station 35 takes partial charge, handling the radio communication operation other than what is performed by the smart card. It is supposed that the smart card 48 according to this embodiment has its own identification number. In another embodiment, either only the mobile station may have its identification number or both the mobile station and the smart card may have their respective identification numbers.

Fig. 10 shows the operation of the batch preliminary authentication stage according to this embodiment.

In this stage, it is supposed that the communication link between the smart card 48 and the roamed network 31 is a secured communication line protected from eavesdropping, such as a special wire communication line or a normal radio communication line using cipher message. The smart card 48 and the home network 30 have the same cipher function f and the same secret parameter ki assigned to this smart card (S1001, S1003). The bit length of the random numbers used in the home network 30 and in the smart card 48 is 128 bits, and the bit length of the calculation results used therein is 32 bits (S1001, S1003, S1101 of Fig. 11). The roamed network 31, on the other hand, has a cipher function different from f. The bit length of the random numbers used in this roamed network 31 is 64 bits and the bit length of its calculation result is, for example, 32 bits (S1002, S1102 of Fig. 11). Furthermore, the mobile station 35 and the roamed network 31 are provided with extension functions E( ) for extending the bit length from 64 bits to 128 bits.
If the smart card 48 requests preliminary authentication from the roamed network 31 with its identification number, this roamed network 31 reports the request, together with the identification number, to the home network 30. The home network 30 then finds the secret key ki corresponding to this smart card by searching its data base 34 (S1004), and generates a set of random numbers {RNDa_1,...,RNDa_n} of 128 bits (S1005). The home network 30 then calculates f_ki(RNDa_j) using the generated RNDa_j (j=1,...,n) and the found secret key ki (S1006), and sends back a set of CR pairs, namely the generated random numbers {RNDa_1,...,RNDa_n} of 128 bits and the calculation results {SRESa_1,...,SRESa_n} of 32 bits, to the roamed network 31.

The roamed network 31, having received the set of CR pairs, generates another set of random numbers {RNDb_1,...,RNDb_m} of 64 bits (S1007), and produces extended random numbers {RNDb'_1,...,RNDb'_m} of 128 bits by applying the extension function E( ) to the 64-bit random numbers {RNDb_1,...,RNDb_m} (S1008). The roamed network then couples these extended random numbers {RNDb'_1,...,RNDb'_m} with the received random numbers {RNDa_1,...,RNDa_n}, rearranges the sending order at random, and sends these coupled random numbers of 128 bits to the smart card 48 in parallel or in series (in parallel in the example of Fig. 10). Here n is an integer greater than one and m is an integer much greater than n (m » n). As a non-limiting example, m and n may be selected as m = 100 and n = 10.

The smart card 48 calculates SRESa_j = f_ki(RNDa_j) (j=1,...,n) and SRESb_j = f_ki(RNDb'_j) (j=1,...,m) using the received (n+m) random numbers, the cipher function f and its secret key ki (S1009), and then sends back to the roamed network 31 the calculation results {SRESa_1,...,SRESa_n, SRESb_1,...,SRESb_m}, which are arranged in random order. The roamed network 31 restores the order of the received calculation results in accordance with the order in which the random numbers were sent, and thus obtains correctly ordered {SRESa_1,...,SRESa_n} and {SRESb_1,...,SRESb_m}. Then, the roamed network 31 compares the results {SRESa_1,...,SRESa_n} calculated by and received from the smart card 48 with the results {SRESa_1,...,SRESa_n} calculated by and received from the home network 30 to check whether they coincide with each other (S1010). If all of them coincide, the smart card 48 is deemed a right subscriber, and the random numbers {RNDb_1,...,RNDb_m} and the calculation results {SRESb_1,...,SRESb_m} from the smart card 48 are stored in the roamed network 31 for use as CR pairs in the main authentication (S1011). If one or more results do not coincide, it is determined that the batch preliminary authentication has failed, and the results {SRESb_1,...,SRESb_m} are abandoned.

Since the sending order of the random numbers from the roamed network 31 has been rearranged, the smart card 48 cannot know which of {RNDa_1,...,RNDa_n, RNDb_1,...,RNDb_m} the currently received random number corresponds to. Therefore, if all the calculation results with respect to {RNDa_1,...,RNDa_n} coincide as described above, not only is the smart card 48 considered a right one, but the set of CR pairs {RNDb_1,...,RNDb_m} and {SRESb_1,...,SRESb_m} is also considered to be a set of legal CR pairs.

After the above-mentioned batch preliminary authentication of the smart card 48 has succeeded, the roamed network 31 can start the main authentication shown in Fig. 11 at any time when this smart card 48 requests roaming via the mobile station 35 and the radio interface.

When the smart card 48 requests roaming with its identification number via the mobile station 35, since the results of the preliminary authentication (CR pairs) {RNDb_1,...,RNDb_m} and {SRESb_1,...,SRESb_m} have already been stored in the roamed network 31 (S1103), the network 31 sends one of the random numbers RNDb_j of 64 bits to the mobile station 35. The mobile station 35 produces the extended random number RNDb'_j of 128 bits by applying the extension function E( ) to the received 64-bit random number RNDb_j (S1104), and then sends this extended random number RNDb'_j to the smart card 48. The smart card calculates SRESb_j = f_ki(RNDb'_j) using the received RNDb'_j, its cipher function f and its secret key ki (S1105), and sends back the calculated result SRESb_j of 32 bits to the roamed network 31 via the mobile station 35. This calculation result SRESb_j is compared with the corresponding result SRESb_j stored in the roamed network at the preliminary authentication stage (S1106). If they coincide with each other, the main authentication succeeds. Otherwise, it fails.

As will be apparent from the above description, according to the present invention, roaming can be performed between networks which have different cipher functions for authentication and use random numbers of different bit lengths from each other. In the near future, many smart cards which can share a part of the authentication operation will be used for roaming to their visited networks. In such a case, if each of the mobile stations belonging to the visited networks has an appropriate function for extending the length of the random numbers, the smart cards can easily perform roaming to any of their visited networks using random numbers of a shorter bit length than that in the smart cards.

Fig. 12 shows the operation of another embodiment according to the present invention. The constitution of the mobile communication system and the constitution of the mobile station are also the same as those shown in Figs. 3 and 4.

This embodiment concerns a mobile communication system having an authentication protocol wherein the roamed network 31 separately manages the mobile station 35 and the smart card 48, and wherein the radio interface between the roamed network 31 and the mobile station 35 is allowed to transmit only random numbers of, for example, 64 bits.

The authentication process in this embodiment consists of two stages: an authentication for the mobile station (mobile station authentication) and an authentication for the smart card (subscriber authentication). In this embodiment, furthermore, the mobile station belongs to this roamed network and thus it is authenticated in accordance with the authentication process of this roamed network. Namely, the mobile station i (35) and the roamed network 31 (which is a home network for this mobile station) have the same cipher function g and the same secret parameter ki assigned to this mobile station (S1202, S1203). When a random number of 64 bits is received from the roamed network 31, the mobile station conducts a cipher calculation and then sends the result thereof, TRES', to the roamed network. On the other hand, the smart card is authenticated in accordance with the authentication process of the home network 30. Namely, the smart card m (48) and the home network 30 have the same cipher function f and the same secret parameter km assigned to this smart card (S1201, S1204). When a random number of 128 bits is received from the home network 30, the smart card conducts a cipher calculation and then sends the result thereof, SRES', to the roamed network.

When the smart card 48 requests roaming to the roamed network 31 with its identification number via the mobile station 35, this roamed network 31 reports the request, together with the identification number, to the home network 30. The home network 30 then finds the secret key km corresponding to this smart card by searching its data base 34 (S1205), and generates a random number RND of 128 bits (S1206). The home network 30 then calculates SRES = f_km(RND) using the generated RND and the found secret key km (S1207), and sends back a CR pair, namely the generated random number RND of 128 bits and the calculation result SRES of 32 bits, to the roamed network 31.

When the mobile station requests access to the roamed network 31 with its identification number, this roamed network finds the secret key ki corresponding to the mobile station by searching its data base 38 (S1208). After receiving the CR pair (RND, SRES) from the home network 30, the roamed network divides the received random number RND of 128 bits into two random numbers R1 and R2 of 64 bits (S1209).

The divided random number R1 of 64 bits is sent to the mobile station 35 as a random number for mobile station authentication. The mobile station stores the received R1 and calculates TRES' = g_ki(R1) by using the received random number R1, the cipher function g and its secret key ki (S1210). The calculated result TRES' of 32 bits is sent back to the roamed network 31.



The roamed network 31 calculates g_ki(R1) using the divided random number R1, the cipher function g and the found secret key ki, and confirms that its result g_ki(R1) is equal to the result TRES' calculated by and received from the mobile station 35 (S1211). Then, the roamed network 31 sends the other divided random number R2 of 64 bits to the mobile station 35. The mobile station 35 couples this random number R2 with the stored random number R1 to reproduce the random number RND of 128 bits, and sends it to the smart card as a random number for subscriber authentication. The smart card calculates SRES' = f_km(RND) by using the received random number RND, the cipher function f and its secret key km (S1212). The calculated result SRES' of 32 bits is sent back to the roamed network 31.

The roamed network 31 confirms that the stored 
result SRES is equal to the result SRES' calculated 
by and received from the smart card (S1213). 

According to this embodiment, as described above, a plurality of authentications are effected in the roamed network by using the divided random numbers, which are divided so as to have a bit length appropriate for use in this roamed network. The mobile network can use the random number having a longer bit length, as in the home network, by coupling a plurality of the divided random numbers. Instead of generating random numbers twice, a random number with a longer bit length is divided into a plurality of random numbers with a shorter bit length according to this embodiment.

Although the authentication is performed twice in this embodiment, three or more authentications are also possible with similar advantages.
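The Fig. 12 exchange described above, as an added Python sketch that is not part of the patent. HMAC-SHA-256 truncated to 32 bits stands in for both cipher functions g and f, which the patent does not specify; the class and function names are assumptions, and the example withholds R2 when the first check fails, which is how it reads the "Then" in the text.

```python
import hashlib
import hmac
import secrets


def g(ki: bytes, r64: bytes) -> bytes:
    """Stand-in for the roamed network's cipher function g (assumption)."""
    return hmac.new(ki, b"g" + r64, hashlib.sha256).digest()[:4]


def f(km: bytes, rnd128: bytes) -> bytes:
    """Stand-in for the home network's cipher function f (assumption)."""
    return hmac.new(km, b"f" + rnd128, hashlib.sha256).digest()[:4]


class SmartCard:
    """Smart card m (48): holds km and f, never sees ki."""

    def __init__(self, km: bytes):
        self._km = km

    def sres(self, rnd128: bytes) -> bytes:
        return f(self._km, rnd128)                 # S1212


class MobileStation:
    """Mobile station i (35): holds ki and g, relays RND to the inserted card."""

    def __init__(self, ki: bytes, card: SmartCard):
        self._ki, self._card, self._r1 = ki, card, None
        self.received = []                         # what arrived over the radio interface

    def on_r1(self, r1: bytes) -> bytes:
        self.received.append(r1)
        self._r1 = r1                              # stored for the later coupling
        return g(self._ki, r1)                     # TRES', S1210

    def on_r2(self, r2: bytes) -> bytes:
        self.received.append(r2)
        rnd = self._r1 + r2                        # reproduce the 128-bit RND
        return self._card.sres(rnd)                # SRES' relayed to the network


def home_cr_pair(km: bytes):
    rnd = secrets.token_bytes(16)                  # S1206
    return rnd, f(km, rnd)                         # S1207


def roamed_authenticate(cr_pair, ki: bytes, station: MobileStation) -> str:
    rnd, sres = cr_pair
    r1, r2 = rnd[:8], rnd[8:]                      # S1209: two 64-bit halves
    tres_prime = station.on_r1(r1)
    if not hmac.compare_digest(tres_prime, g(ki, r1)):   # S1211
        return "mobile station rejected"           # assumption: R2 is not sent
    sres_prime = station.on_r2(r2)
    if not hmac.compare_digest(sres_prime, sres):        # S1213
        return "subscriber rejected"
    return "authenticated"
```

Every value on the radio interface is 64 bits long, yet the smart card still answers a 128-bit challenge chosen by its home network.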

Many widely different embodiments of the present invention may be constructed without departing from the spirit and scope of the present invention. It should be understood that the present invention is not limited to the specific embodiments described in the specification, except as defined in the appended claims.



Claims 


1. A mobile communication authentication method for authenticating a mobile station which accesses for roaming a network different from a home network of the mobile station, said mobile station and said home network having the same secret key and using the same cipher function, said method comprising the steps of:

preliminarily authenticating said mobile station by sending from said home network to said roamed network, a plurality of pairs of first random numbers and calculation results of the cipher function, said calculation being performed at said home network using said secret key and said first random numbers, sending, from said roamed network to said mobile station, third random numbers formed by coupling second random numbers produced at said roamed network with said first random numbers, sending, from said mobile station to said roamed network, calculation results of the cipher function, said calculation being performed at said mobile station using said secret key and said sent third random numbers, and confirming, at said roamed network, coincidence of the calculation results sent from said mobile station with the calculation results sent from said home network; and

authenticating said mobile station by using a pair of said second random number and of said calculation result with respect to the second random number, sent from said mobile station.

2. The method as claimed in claim 1, wherein the number of said first random numbers is smaller than that of said second random numbers.

3. The method as claimed in claim 1, wherein said third random numbers are sent from said roamed network in accordance with a sending order rearranged in random.

4. A mobile communication authentication method for authenticating a mobile station which accesses for roaming a network different from a home network of said mobile station, said mobile station and said home network having the same secret key and using the same cipher function, bit length of random numbers used in said roamed network being shorter than that used in said home network, said method comprising the steps of:

sending from said home network to said roamed network, calculation results of the cipher function, said calculation being performed at said home network using said secret key and random numbers extended by means of an extension function to the bit length of the random numbers used in said home network, sending, from said roamed network to said mobile station, random numbers before extension, sending, from said mobile station to said roamed network, calculation results of the cipher function, said calculation being performed at said mobile station using said secret key and random numbers extended by means of an extension function to the bit length of the random numbers used in said home network, and confirming, at said roamed network, coincidence of the calculation result sent from said mobile station with the calculation result sent from said home network.

5. The method as claimed in claim 4, wherein said mobile station and said roamed network have the extension functions, and wherein said roamed network produces random numbers and extends using said extension function bit length of the random numbers.

6. The method as claimed in claim 4, wherein said mobile station and said home network have the extension functions, and wherein said home network produces random numbers and extends bit length of the random numbers using the extension function.

7. The method as claimed in claim 4, wherein said extension function is a block cipher system of CBC mode.

8. A mobile communication authentication method for authenticating a mobile station which accesses for roaming a network different from a home network of said mobile station, said mobile station and said home network having the same secret key and using the same cipher function, bit length of random numbers used in said roamed network being shorter than that used in said home network, said method comprising the steps of:

preliminarily authenticating said mobile station by sending from said home network to said roamed network, a plurality of pairs of first random numbers and calculation results of the cipher function, said calculation being performed at said home network using said secret key and said first random numbers, sending, from said roamed network to said mobile station, third random numbers formed by coupling second random numbers produced and extended at said roamed network by means of an extension function to the bit length of the random numbers used in said home network with said first random numbers, sending, from said mobile station to said roamed network, calculation results of the cipher function, said calculation being performed at said mobile station using said secret key and said sent third random numbers, and confirming, at said roamed network, coincidence of the calculation results sent from said mobile station with the calculation results sent from said home network; and

authenticating said mobile station by using a pair of said second random number and of said calculation result with respect to the second random number, sent from said mobile station.

9. The method as claimed in claim 8, wherein the 
number of said first random numbers is smaller 
than that of said second random numbers. 

10. The method as claimed in claim 8, wherein said
third random numbers are sent from said roamed
network in accordance with a sending order
rearranged in random.
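
The exchange of claims 8 to 10, written out as an added example that is not part of the patent text: the home network issues a few (first random number, result) pairs, the roamed network mixes them in random order with its own shorter, extended random numbers, and the responses to its own numbers become stored pairs for later authentication. The function names, byte lengths, the truncated HMAC-SHA256 standing in for the cipher function, the hash standing in for the extension function (claim 7 names a CBC-mode block cipher), and the re-extension of the stored number at main authentication are all assumptions.

```python
import hashlib, hmac, random, secrets

HOME_RND_LEN, ROAM_RND_LEN = 16, 8   # bytes; constructed sizes, roamed < home

def f(ki, rnd):
    """Stand-in for the cipher function f (assumption: truncated HMAC-SHA256)."""
    return hmac.new(ki, rnd, hashlib.sha256).digest()[:4]

def extend(rnd):
    """Stand-in extension function: stretch a short random to the home length."""
    return hashlib.sha256(b"extend" + rnd).digest()[:HOME_RND_LEN]

def home_issue_pairs(ki, n):
    """Home network: n pairs (first random number, result) computed with ki."""
    rnds = [secrets.token_bytes(HOME_RND_LEN) for _ in range(n)]
    return [(r, f(ki, r)) for r in rnds]

class MobileStation:
    def __init__(self, ki):
        self.ki = ki

    def respond(self, challenges):
        """Apply f to every challenge; first and second kinds look the same."""
        return [f(self.ki, c) for c in challenges]

def preliminary_auth(home_pairs, station, m):
    """Roamed network: returns m stored (second random, result) pairs, or None."""
    expected = dict(home_pairs)
    short = [secrets.token_bytes(ROAM_RND_LEN) for _ in range(m)]
    extended = {extend(s): s for s in short}
    challenges = list(expected) + list(extended)     # the "third" random numbers
    random.SystemRandom().shuffle(challenges)        # random sending order
    stored = []
    for c, sres in zip(challenges, station.respond(challenges)):
        if c in expected:
            if not hmac.compare_digest(sres, expected[c]):
                return None                          # results do not coincide
        else:
            stored.append((extended[c], sres))       # kept only if all checks pass
    return stored

def main_auth(stored, station):
    """Roamed network: spend one stored pair without contacting the home network."""
    rndb, sresb = stored.pop()
    return hmac.compare_digest(station.respond([extend(rndb)])[0], sresb)
```

The roamed network never holds the secret key: it can only compare results against pairs received from the home network or collected during a preliminary authentication that succeeded.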


11. A mobile communication authentication method
for authenticating a smart card connected to a
mobile station, which accesses for roaming a
network different from a home network of said smart
card, said smart card and said home network
having the same secret key and using the same
cipher function, bit length of random numbers
used in said roamed network being shorter than
that used in said home network, said method
comprising the steps of:

preliminarily authenticating said mobile
station by sending from said home network to
said roamed network, a plurality of pairs of first
random numbers and calculation results of the
cipher function, said calculation being performed
at said home network using said secret key and
said first random numbers, sending, from said
roamed network to said smart card, third random
numbers formed by coupling second random
numbers produced and extended at said roamed
network by means of an extension function to the
bit length of the random numbers used in said
home network with said first random numbers,
sending, from said smart card to said roamed
network, calculation results of the cipher
function, said calculation being performed at said
smart card using said secret key and said sent
third random numbers, and confirming, at said
roamed network, coincidence of the calculation
results sent from said smart card with the
calculation results sent from said home network; and

authenticating said smart card connected
to said mobile station by using a pair of said
second random number and of said calculation result
with respect to the second random number, sent
from said smart card.



12. The method as claimed in claim 11, wherein the
number of said first random numbers is smaller
than that of said second random numbers.

13. The method as claimed in claim 11, wherein said
third random numbers are sent from said roamed
network in accordance with a sending order
rearranged in random.

14. A mobile communication authentication method
for authenticating a smart card connected to a
mobile station, which accesses for roaming a
network different from a home network of said smart
card, said smart card and said home network
having the same first secret key and using the
same first cipher function, said mobile station
and said roamed network having the same second
secret key and using the same second cipher
function, said method comprising the steps of:

authenticating said mobile station by
sending, from said roamed network to said mobile
station at least one random number, sending,
from said mobile station to said roamed network,
at least one calculation result of the second
cipher function, said calculation being performed at
said mobile station using said second secret key
and the random number sent from said roamed
network, and confirming, at said roamed network,
coincidence of the calculation result sent
from said mobile station with a calculation result
calculated at said roamed network; and

authenticating said smart card by sending
from said roamed network to said smart card at
least one random number, sending from said
smart card to said roamed network, at least one
calculation result of the first cipher function, said
calculation being performed at said smart card
using said first secret key and the random number
sent from said roamed network, and confirming,
at said roamed network, coincidence of the
calculation result sent from said smart card with
a calculation result sent from said home network.

15. The method as claimed in claim 14, wherein the
random numbers sent from said roamed network
to said mobile station are produced at said
roamed network by dividing a random number
sent from said home network.